DNS question

Essendon

Cant figure this one out guys, need help.

I had a DC (Server01) and a member server (Server02) for my 290 exam that I have carried over for the 291. So I promoted the member server to the role of DC. It is an additional DC in the same domain contoso.com. I added the role of DNS to Server01 without any problems. All settings are good, A, NS, SOA and SRV records are all there.

But when I add the DNS role to the other DC i.e. Server02 whether I use the Manage your Server wizard or through Add/Remove Windows Components, it tries to add the role but ends up at saying "Cannot complete the wizard". I looked in the Event Viewer on both servers if there were any DNS related errors, but found none. When I open dnsmgmt on Server02, it doesnt have itself in the box, only Server01 is there. Even when I click Connect to DNS Server and try to connect to itself, it says that the server is not available. Similar thing on the other server as well, click the Connect to DNS Server wizard and enter in server02.contoso.com, it says the server is not a Windows Server 2003/2000 Computer.

Settings for the two servers:

Server01

IP Address : 192.168.0.101
Mask: 255.255.255.0
Preferred DNS Server : 192.168.0.101

Server02

IP Address : 192.168.2.128
Mask: 255.255.255.0
Preferred DNS Server : 192.168.0.101

The IP address of Server02 was automatically assigned by the VMWare network adapters. I just made the same address static. Both servers can ping each other by name and by IP address. Launching an NS lookup on Server01 to find Server02.contoso.com is successful too.

So, why cant I add the DNS role to Server02?

Please let me know if you need more information to troubleshoot my problem.

astorrs

Are there any error/warning events in the event log (look in both Application and System)

Essendon

Just looked up the logs on server02, Andrew. Large number of warnings and a few errors...

Warnings and errors are on the lines of " The DNS server could not load the Active Directory" and "The DNS server could not find the primary or secondary zones for this domain". There are other errors saying that the computer could not get AD replication from any other DC's. Also there was one saying there were no AD-integrated peers located. Ok, another one saying something about some FSMO errors. Heaps of errors Doesnt look good, does it?

I have tried removing the DNS roles from both computers and adding again, hasnt made a difference. Something very wrong going on.

astorrs

MobilOne wrote:

I have tried removing the DNS roles from both computers and adding again, hasnt made a difference. Something very wrong going on.

Oh dear, did you remove them at the same time?

Can you perform the following command against both DCs (where <dc#> is the name of the DC)?

"net view \\<dc#>"

and tell me if you see the NETLOGON and SYSVOL shares?

Essendon

astorrs wrote:

MobilOne wrote:

I have tried removing the DNS roles from both computers and adding again, hasnt made a difference. Something very wrong going on.

Oh dear, did you remove them at the same time?

Can you perform the following command against both DCs (where <dc#> is the name of the DC)?

"net view \\<dc#>"

and tell me if you see the NETLOGON and SYSVOL shares?

Sorry, I'll rephrase that. I did NOT remove the DNS role from server01, only removed it from server02.

astorrs

Okay, much better.

What about the shares?

Essendon

Sorry Andrew, I'll have a look at this tomorrow morning now. Weekend's here and friends want me to join them for a bbq. Will reply tomorrow.

astorrs

MobilOne wrote:

Sorry Andrew, I'll have a look at this tomorrow morning now. Weekend's here and friends want me to join them for a bbq. Will reply tomorrow.

Oh definately, have a for me...

wedge1988

Server01

IP Address : 192.168.0.101
Mask: 255.255.255.0
Preferred DNS Server : 192.168.0.101

Server02

IP Address : 192.168.2.128
Mask: 255.255.255.0
Preferred DNS Server : 192.168.0.101

Im not 100% on this, but does it matter that your second server is using the first servers DNS address while you try to install DNS? I would assume you should be using a 127.0.0.1 address for loopback? If you wanted to use the first server as a DNS server you should set up a secondry DNS zone not a fresh DNS install???

im sorts of right lol, 291 in a few months for me!

Essendon

Ok, back after a much needed sleep-in. Had a long night

Did a net view\\ against both DC's. Server01 had both netlogon and sysvol among other shares show up. But Server02 did not have either netlogon or sysvol come up(showed other shared folders that I have).

Saw an error on Server01 in the Application event log saying that "MS DTC coud not correctly process the DC Promotion/Demotion event and that it would continue to use the current settings". Another saying that it could not connect to the local SAM server.

Seems Server02 was not correctly promoted to the role of DC.

astorrs

Correct. DNS won't load the zones because they don't exist (since they are AD integrated and the DC services are not functioning).

Demote the server again and rerun dcpromo. Let me know if you encounter an error trying to demote it (there is a manual way, it's well documented, but is much more complex )

Essendon

Tried to demote server02 using the dcpromo wizard gives me the following error:

Operation failed because AD could not transfer the remaining data in directory partition
CN=Schema, CN=Configuration,DC=contoso,DC=com to Domain Controller server01.contoso.com
The RPC server is unavailable.

Now, I started the RPC service on server01 (it was turned off), tried to run dcpromo again, same error.

Essendon

Could this above error be because this DC is pointing to server01 for name resolution?

I tried to point server02 to itself but when I run dcpromo again, it gives me a rather ominous message saying that " Since no other DC's could be contacted, all AD changes for this domain contoso.com will be lost" Thought I'd better ask before I went ahead.

astorrs

Are you really attached to server2? Or can you just rebuild the machine (its just a basic install right)?

If you're okay with starting over go ahead and start the rebuild, while its running follow the steps here on server1 to cleanup the mess server2 probably left behind: http://support.microsoft.com/kb/216498

Essendon

What would you mean by "directly attached"? It's a virtual machine, if that helps.

And that's a pretty long instruction for removing stuff left behind by the unsuccessful demotion (not that I would mind doing it, if it's the only way out)

Essendon

I just tried to force a replication between the two DC's (while sitting at server01). Gave me a similar error that the RPC server is unavailable. Also said "This operation will not continue. This condition may be caused by a DNS lookup problem"

My server02 seems very sick to me.

astorrs

Yup deathly ill.

Follow the instructions in the KB article, it's good experience (I've probably done it 20 times in the past).

Sie

good link Astorrs, popped in to see if I could help but seems like you've got another one nailed.

Would definetly recommend the rebuild, sometimes its easier to start again than to find a needle in the haystack.

If its a VMWare virtual machine dont forget you have snapshots incase this happens!

Essendon

Just a question with the VMWare snapshots (server02 is a virtual machine), Sie. What are these things? Some kind of restore points?

Jeez, sometimes I wish I was a plumber or something, these computers get to me man

But, I aint one to fall back, I'll rebuild this sick server of mine and get it up and running. Any other suggestions before I get started.

Sie

MobilOne wrote:

Just a question with the VMWare snapshots (server02 is a virtual machine), Sie. What are these things? Some kind of restore points?

Jeez, sometimes I wish I was a plumber or something, these computers get to me man

But, I aint one to fall back, I'll rebuild this sick server of mine and get it up and running. Any other suggestions before I get started.

Yes snapshot are basically restore points and are available within VMWare, I dont think theres anything similar in Virtual PC thou unfortunatly.

I tend to create one once I have setup the Vanilla Server then others when 'large' things are configured then if things go wrong or I want to start again I can just revert to the first snapshot.

Which you using?

Remove the second server and follow Astorrs link on the first DC, shouldnt be too long setting up a new one if its just a DNS server.

dynamik

Snapshots contain the state of a VM at a specific point in time. Let's say you create a snapshot and then delete some files. You can revert back to the snapshot, and the files will remain, just like they were when you created the snapshot. This works for software installations, configuration changes, etc.

VMWare Server can only take one snapshot. VMWare Workstation is much more flexible.

Essendon

Yeah, I'm using the free VMWare Server. I'll give it a shot as soon as I can.

Essendon

I followed that KB article to the word, everything goes smoothly till the point where I type in "Remove selected server" in the metadata cleanup menu. When I hit enter, it gives me an error " The connected server will not remove its own metadata ".

I was running the ntdsutil from the healthy server (server01). Does the above error mean that I will have to remove the metadata manually??

I googled the above error, nothing much came up. Please help.

Sie

did you ever run the dcpromo /forceremoval option?

Theres also another good guide on this at

http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Essendon

did you ever run the dcpromo /forceremoval option?

When I attempted this, it said this action would remove AD from this DC without updating forest metadata. Unless this is the last DC in the forest, you will need to manually configure AD forest metadata.

Now, this sick DC is NOT the last DC in the forest. So if I clicked next, I would have to manually configure AD metadata? And then, reinstall the OS?

Also, that link that you posted Sie, is pretty good in its own right, but exactly the same as the one Astorrs posted. Thanks anyways!

Sie

lol, sorry bud I didnt have chance to run through the whole page but thought it may help.

dcpromo /forceremoval is run from the DC you are demoting, just wondered if you had tried this option.

See here:
http://support.microsoft.com/kb/332199

I havent personally had to remove the metadata manually myself but im looking around to see if theres anything that can help you.

If i find anything I will let you know

Essendon

Seems like I'm the one having the most problems preparing for any exam. I ran into plenty of problems when I was preparing for the 290.

Yeah, I know that dcpromo /forceremoval is run from the DC that I am trying to kill. I dont want to do it on my only working DC!!

Essendon

New errors on server01. One says that the Knowledge Consistency Checker has detected that successive attempts to replicate have consistently failed.

Another saying that this server is the owner of the FSMO role but does not consider it valid. For the partition which contanis the FSMO, this server has not replicated successfully with any of its partners snice this server has been restarted. Replication errors are preventing validation of this role.

Are all these errors DNS related? Atleast they sound like they are.

Sie

Is server 2 still down??

As far as I can tell you AD on Server 1 still thinks Server 2 is there and its still a DC, correct?

Essendon

Sie wrote:

Is server 2 still down??

As far as I can tell you AD on Server 1 still thinks Server 2 is there and its still a DC, correct?

Server2 is still down and server1 still thinks that it is a DC. In fact, it always has.

Essendon

I have installed a member server, named it server3. But havent promoted it to a DC yet, will wait till someone tells me how to clear the mess server2 has created. As I said before, that link that astorrs posted still doesnt work for me. Still get that error "The connected server will not remove its own metadata ".

Enough for the night.

~~ Cracks open a cold beer ~~